About this Book


NetIQ Identity Manager 4.8 Service Pack 4 provides new features and enhancements, improves usability,
and resolves several previous issues.


Many of these improvements were made in direct response to suggestions from our customers. We 
thank you for your time and valuable input. We hope you continue to help us ensure that our 
products meet all your needs. You can post feedback in the Identity Manager Community Forums on 
NetIQ Communities, our online community that also includes product information, blogs, and links 
to helpful resources. 


The documentation for this product and the latest release notes are available on the NetIQ Web site 
on a page that does not require you to log in. If you have suggestions for documentation 
improvements, click comment on this topic at the bottom of any page in the HTML version of the 
documentation posted at the Identity Manager Documentation Website. 

What’s New and Changed? 


Identity Manager 4.8.4 provides the following key features, enhancements, and fixes in this release: 


* New Features and Enhancements
* Component Updates
* Software Fixes
* What’s Deprecated for Removal?


New Features and Enhancements 


Identity Manager 4.8.4 provides the following key functions and enhancements in this release: 


* Platform Support
* Support for New Docker Version for Containers
* Enhancements in Identity Applications
* Enhancements in Identity Manager Containers


Platform Support 


In addition to the existing operating systems (OS), this service pack supports:

* Red Hat Enterprise Linux (RHEL) 8.4
* Open Enterprise Server (OES) 2018 SP3
* macOS 11 Big Sur for Designer


NOTE: You must install Designer 4.8 and then update to version 4.8.4. For more information,
see NetIQ Designer Setup Guide for macOS 11.


Support for New Docker Version for Containers 


This service pack supports a new version of Docker with Identity Manager Containers. The supported
version is 20.10.6.


Enhancements in Identity Applications


Identity Applications includes the following enhancement: 


New Property Introduced In the User Application Driver 


A new driver configuration property is introduced in the User Application Driver to automatically 
remove the login entry from the oidpInstanceData attribute when it reaches the size limit of 16 
KB. The Enable oidpiInstanceData attribute clean-up property is prompted for configuration while 
upgrading the User Application Base package to the latest version 4.8.4.20210706230504. By 
default, the value is set to true. For more information, see Modifying the User Application Driver 
Properties in the NetIQ Identity Manager - Administrator’s Guide to Designing the Identity 
Applications. 


NOTE: NetIQ recommends that you do not configure this property when OSP and Identity 
Applications are configured on different Tomcat instances using different port numbers. This known 
limitation will be addressed in an upcoming release of the User Application driver. 


Enhancements in Identity Manager Containers 


Identity Manager containers include the following enhancements:

* Handling RPM Updates and Third Party Files In a Container
* Starting the Remote Loader Instances Automatically After Container Deployment


Handling RPM Updates and Third Party Files In a Container 


This release provides an option to mount a directory and use the mount directory for storing all the 
common dependent files. In other words, it allows you to place the following dependent files in the 
mount directory and use those files within containers. 

* Driver RPM files for patching drivers to the required version
* Third-party JAR files or any other dependent files


This allows you to perform a seamless update of containers without any manual intervention. This 
capability is currently supported for Identity Manager Engine and Remote Loader containers only. 


For more information, see Handling RPM Updates and Third Party Files in the NetIQ Identity 
Manager 4.8.4: Installation and Upgrade Guide. 



Starting the Remote Loader Instances Automatically After Container 
Deployment 


This release allows you to start the Remote Loader instances automatically when the Remote Loader 
containers are deployed and brought up. You must create a startup file and place the file in the 
shared volume. The startup file that you create must be passed as an environment variable while 
deploying the Remote Loader container. 


For more information, see Starting Remote Loader Instances Automatically With Remote Loader 
Container Deployment in the NetIQ Identity Manager 4.8.4: Installation and Upgrade Guide. 


Component Updates 


This section provides details on the component updates. 


Identity Manager Component Versions 


This release adds support for the following components in Identity Manager: 


* Identity Manager Engine 4.8.4
* Identity Manager Remote Loader 4.8.4
* Identity Applications 4.8.4
* Identity Reporting 6.6.5
* Identity Manager Designer 4.8.4
* Identity Manager Fanout Agent 1.2.6


Updates for Dependent Components 


This release adds support for the following dependent components: 


* NetIQ eDirectory 9.2.5
* NetIQ iManager 3.2.5
* NetIQ Self Service Password Reset (SSPR) 4.5.0.4
* NetIQ One SSO Provider (OSP) 6.4.6
* Sentinel Log Management for IGA 8.4


Third-Party Component Versions 


This release adds support for the following third-party components:

* Azul Zulu 1.8.0_292
* Apache Tomcat 9.0.50-1
* PostgreSQL 12.6
* OpenSSL 1.0.2y
* ActiveMQ 5.15.15
* Nginx 1.20.0


NOTE: The supported version of the Universal CEF collector is the same as Identity Manager 4.8.3. 
For more information on the supported versions for these components, see Third-Party Component 
Versions in the NetIQ Identity Manager 4.8 Service Pack 3 Release Notes. 


Software Fixes 


NetIQ Identity Manager includes software fixes for the following components: 


* Installation and Upgrade
* Identity Manager Engine
* Identity Applications
* Identity Reporting
* Designer


Installation and Upgrade 

NetIQ Identity Manager includes the following software fixes that resolve several previous issues in 
installation or upgrade: 

iManager Correctly Displays Saved Value in Driver Mapping Table 


When you enter a string in the Driver Mapping Table column and save, the table does not truncate 
the string and instead retains the complete string. (Bug 283078) 


Ability to Upgrade SSPR when Multiple SSPR Path Values Exist in 
setenv.sh File 


Duplicate instances of SSPR paths in the setenv.sh file cause no interruption to the SSPR upgrade. 
(Bug 325310) 


Issue with Redirect URL Value Set in Properties File 


Identity Manager 4.8 upgrade sets the com.netiq.rpt.redirect.url value to the accurate URL in the
ism-configuration.properties file. (Bug 230916)



Identity Manager Engine 


if-attr Condition Correctly Evaluates Single Value and Multi Value 
Attributes in Engine 


The DTD documentation now describes the attribute value evaluation functionality of if-attr 
condition. (Bug 328466) 

Identity Applications 

NetIQ Identity Manager includes software fixes that resolve several previous issues in the Identity
Applications:


Ability to Sort Responses of getWorkEntries API Call with Single and
Multiple Addressee


The updated Identity Applications sorts the getWorkEntries SOAP endpoint responses as per their
time of creation. (Bug 321051)


Identity Manager Dashboard Does Not Display Duplicate Roles in Roles 
Tile 


Roles tile in Identity Manager Dashboard now displays only direct role assignments list. In the 
Permissions page, you can select the Show all assignments option to view both the direct and 
indirect role assignments. (Bug 307004) 


User Search Returns Dynamic Entity Value Set to Full Name or Label
Based on the Position of User in Search Results


With the Custom Default value, the Dynamic Entity value is set to the full name when the user is
within the search limit; otherwise, the label is set. (Bug 313005)


Identity Applications Does Not Trigger Permissions API to Access 
Applications Page 


The enhanced Identity Application triggers the /IDMProv/rest/access/permissions API call only to 
add permissions in the Edit Landing page. (Bug 327165) 


RRSD Driver Successfully Processes Expiry Evaluation without eDirectory 
Crash 


The 4.8.4 release handles nrfTimer thread execution in Role and Resource Service Driver. (Bug 
328726) 
IDM Availability Setting Deletion Successfully Removes its Objects
Completely in iManager


Availability setting deletion in Identity Manager correctly eliminates the DelegatorAssignment
Object along with DelegationAssignment object. (Bug 230989)


Ability to Add and Remove User from a Group Simultaneously During 
Role Recalculation 


The Role and Resource Server Driver has been enhanced to retain all the inherited roles without any 
error during add and remove task operations. (Bug 331029) 


Missing nrfInheritedRoles value for Child Role During Role Recalculation
Does Not Display Error


The nrfInheritedRoles value is corrected when inherited roles attribute for user is unavailable.
(Bug 331028)


RRSD Driver No Longer Returns Null Pointer Exception During Role
Recalculation Without Cause Element


The updated Role and Resource Service driver recalculates the cause element with assigned group
information and updates it wherever necessary. (Bug 331027)


Request Catalog Displays Request Status or Resource Assignments Search
Results Correctly


The Request Catalog does not repeatedly search for a user when multiple request statuses or
resource assignments are entitled to the user. (Bug 324175)


Start Workflow Correctly Passes Date to Workflow Engine After Identity 
Application 4.8 Upgrade 


The Start Workflow policy action now passes the date in appropriate format for the Workflow Engine
and executes processDataItemsWithRequestParams() successfully. (Bug 322287)


Issue with Role Revocation and Resource Assignments in RRSD Driver 


When you assign same resource to multiple roles and initiate role revoke for a user, the RRSD driver 
does not display any exception. (Bug 322155) 



Select Component Successfully Resets to Display Results Based on the 
User Selection 


Form Builder now correctly resets the select component results to display empty list if the selected 
user has no direct reports. (Bug 322045) 


Ability to Handle LDAP Read Time Out Errors 


Identity Applications is enhanced to ensure that all LDAP requests get their respective responses
from eDirectory. (Bug 321149)


RRSD Driver Executes All Other Events Correctly Prior to 
nrf:resourceassociation Event Execution 


Both resource object and assigned resource on user must have entitlement reference. When you 
revoke a resource and the assigned resource does not have entitlement reference, a status warning 
message displays in RRSD logs. (Bug 319305) 


getWorkEntriesRequest Soap Endpoint Functionality is Independent of 
the Characters Specified in User Name 


The getWorkEntriesRequest SOAP endpoint is case insensitive and returns all tasks assigned for the 
user. (Bug 318332) 


Ability to Handle Subsequent Start Requests Once 
getCommentsByActivity API Triggers 


The updated Identity Application executes Start SOAP endpoint requests without any errors after the
getCommentsByActivity API is triggered. (Bug 320014)


getContainer() Successfully Retrieves Role Assignment Details 


The SOAP role service method returns the role assignment details only when there are roles 
assigned to container DN. (Bug 311049) 


Event Move Operation No Longer Stacks Events 


This release updates driver policies that enable the RRSD driver to move events from one container
to another, while ignoring the time-consuming events. (Bug 290145)


Form Builder Output Correctly Displays Configured DN Both in Preview 
and Renderer View 


When you deploy a form, it uses the displayed DN value in Data Tab. (Bug 232103) 
User Search Query in Delegation No Longer Takes Time to Retrieve and
Display the Results


The Identity Manager Dashboard is enhanced to search all the users that match the input text and
return the results in Delegation promptly. (Bug 231535)


Identity Application’s Role Page Load Termination Does Not Log Errors


Navigation to other Identity Applications page or execution of other tasks while loading roles in the
Role page no longer logs errors in the catalina.out file. (Bug 231037)


Ability to Perform User Search and Filter All the Relevant Results for
Delegation and Availability


Identity Manager Dashboard allows LDAP query to filter all the relevant team members in selected
team for both Delegation and Availability. (Bug 329311)


Accessing Others Tab in Permissions Does Not Rely on either Addition or
Removal of Roles and Resources


Identity Applications’ Others tab is common for all the users with various assigned permissions, roles
and resources. (Bug 329658)


Bulk Approval of Tasks Ignores Approval Forms with Empty Required
Fields


Identity Manager Dashboard no longer processes approval forms with empty required fields during
bulk tasks approval. (Bug 316140)

Start API No Longer Passes Empty Date String During Date Formatting


Data Item Mapping generates correct values when the date string is empty and successfully performs
date formatting. (Bug 327325)


Ability to Successfully Transfer Client Settings from Database to Other
Location Using MigrationSettings.jar


MigrationSettings.jar does not rely on the client id in the file name to copy or import client settings.
(Bug 258167)


Event Handlers in Driver Correctly Clear oidpInstanceData Attribute
Value


Timely cleanup of oidpInstanceData attribute value results in successful eDirectory synchronization. 
(Bug 230616) 



getCommentsRequest Trigger Returns Responses Without a Task Claim 


The getCommentsRequest SOAP endpoint is updated to execute successfully and return the 
appropriate responses. (Bug 368103) 


Issue to Load Dashboard Page when Anonymous Bind is Set for LDAP
Server


Identity Applications allows you to access Dashboard page without any issues when the configured 
LDAP server has anonymous bind option set. (Bug 318202) 


Identity Reporting 


NetIQ Identity Manager includes the following software fixes that resolve several previous issues in 
Identity Reporting: 


Identity Reporting Supports TLS1.2 Protocol to Download Reports 
Through Local Repository 


The updated Identity Reporting uses the same protocol version as the server to connect and
download reports from local repository. (Bug 314426)


Designer 


NetIQ Identity Manager includes software fixes that resolve several previous issues in Designer: 


Provides an Option to Enable TLS for “Do Send Email” Action 


You can now configure the Use TLS field value in a policy while sending an email using the
do-send-email action. This field is enabled only for Identity Manager 4.8.2 and above versions.
(Bug 316259)


Ability to Import Schema Files in LDIF Format 


The Designer is enhanced to import a schema file using an LDIF file without any error. (Bug 327308)


Introduces Get Token Field in the Query Element 


Designer now allows you to set the get token field value in Argument editor to retrieve available 
objects result pages. The default value for the get-token field is true. This field is enabled for Identity 
Manager 4.8 and above versions. (Bug 316259) 


Ability to Successfully Import Server Objects and Deploy Drivers when 
the Non-secure Port is Unavailable 


You can now import server objects, deploy newly imported server specific GCV’s and driver 
successfully irrespective of the availability of non-secure port. (Bug 318024 and Bug 303040) 



Displays Zero Errors, in the Project Validation Report, when the
if-dest-attr is Used in a Project


Correct declaration of if-dest-attr element type in project displays no errors in project validation 
report. (Bug 322013) 


Ability to Successfully Create or Update the Conditions in DAL Without 
Any Errors 


The updated Designer now allows you to modify, add or delete conditions in relationships and 
queries successfully. (Bug 314124) 


Replaces the Designer Tutorials, that were Adobe Flash Based, with MP4 
Format 


From the 4.8.4 release onward, you can access the Designer tutorials in MP4 file format. (Bug
321361)


What’s Deprecated for Removal? 


A resource definition can have no more than one entitlement bound to it. Associating multiple 
entitlements with a single resource using SOAP endpoint is deprecated from this release and will be 
discontinued in future. NetIQ recommends that you associate one entitlement per resource while 
creating a resource with entitlement. You can configure the resource on the New Resource page 
from the Identity Applications Admin interface. For more information, see NetIQ Identity Manager - 
Administrator’s Guide to the Identity Applications. 


NOTE: There is no change required for the existing resources with multiple entitlements. You can 
continue to assign and revoke these resources in the application. 


Installing or Updating to This Service Pack


For information on installing or updating to this service pack, see the NetIQ Identity Manager 4.8.4: 
Installation and Upgrade Guide. 
Known Issues


NetIQ strives to ensure our products provide quality solutions for your enterprise software needs. 
The following issues are currently being researched. If you need further assistance with any issue, 
contact Technical Support. 

* Unable to Display Selected Tab Name in the Designer UI with macOS 11 Big Sur
* User Application Cannot Add or Remove Users from Roles if the User have Numerous Role
  Assignments
* iManager Container Update Removes Previously Installed iManager plug-ins


Unable to Display Selected Tab Name in the Designer UI 
with macOS 11 Big Sur 


Issue: In the Designer user interface, when you select a tab, the selected tab name is not
displayed, while the other tab names display appropriately. (Bug 321172)


This issue is observed only when you access Designer on macOS 11 Big Sur. 


User Application Cannot Add or Remove Users from Roles 
if the User have Numerous Role Assignments 


Issue: When a new parent role with a child role is assigned to a user, the nrfInheritedRoles
attribute of the user stores the requester and approval information of how the child role is mapped
to the parent role. If the child role is mapped to numerous parent roles (say 100) that are assigned
to the same user, the inheritedRoles attribute value exceeds the threshold size limit and
new assignments cannot be created for the user.


Workaround: Include driver configurations in Role and Resource Service Driver that adds the 
assignment details only if the configuration value is enabled. 


Perform the following actions: 


1. Log in to iManager.
2. Navigate to Identity Manager Overview, select a driver set.
3. In the Driver Set Overview, click the Role and Resource Driver and select Stop Driver to stop the
   Role and Resource Service Driver.
4. Click Role and Resource Driver and select Edit Properties.
5. Navigate to Driver Configuration > Driver Parameters, and then click Edit XML.
6. In the Driver Parameters (XML), select the Enable XML editing check box.
7. Add the below entry in the definitions section.

   <definition display-name="Disable adding assignment details to nrfInheritedRoles attribute"
               id="115" name="disable-inherited-roles-cause" type="boolean">
     <description>This setting disables the update of requester information in the nrfInheritedRoles attribute.</description>
     <value>true</value>
   </definition>
   <definition display-name="Disable adding assignment details to nrfGroupRoles and nrfContainerRoles attribute"
               id="116" name="disable-group-container-cause" type="boolean">
     <description>This setting disables the update of requester information in the nrfGroupRoles and nrfContainerRoles attributes.</description>
     <value>true</value>
   </definition>


8. Click OK. Click Apply and then OK.
9. Stop eDirectory.

   ndsmanage stopall

10. Update jar file to the latest version.

    Windows: Navigate to the extracted folder of Role Resource Service Driver and copy the
    nrfdriver.jar file to the <Identity Vault installation path>\eDirectory\lib
    directory. For example, /opt/novell/eDirectory/lib/dirxml/classes

    Linux: Install the new RPMs by running the following command:

    rpm -Uvh <Driver Patch Directory>/linux/netiq-DXMLrrsd.rpm

11. Start eDirectory.

    ndsmanage startall


iManager Container Update Removes Previously Installed 
iManager plug-ins 


Issue: After iManager container is updated to the 3.2.5 version, any plug-ins that were installed 
previously are removed from iManager. (Bug 379425) 


Workaround: There is no workaround for installing the previously installed plug-in versions. 
However, you can install the latest plug-ins by following the steps mentioned here. 